High-risk facilities that produce dangerous chemicals or explosives are at increased risk of cyberattack because of outdated federal security guidelines, a government watchdog agency said.
The U.S. Government Accountability Office said that a failure to fix these issues could leave chemical facilities more vulnerable to hackers, who could seize control of industrial systems to release hazardous substances and inflict mass casualties.
The Chemical Facility Anti-Terrorism Standards program, or CFATS, operated by the Department of Homeland Security since 2007, is responsible for auditing around 3,300 U.S. facilities that handle sensitive chemicals such as chlorine or ammonia to ensure that cybersecurity measures are met.
A report published May 14 by the GAO, an investigative agency for Congress, found that cybersecurity standards haven’t been updated by DHS in more than 10 years. There were also significant gaps in oversight within the CFATS program, including a lack of formal processes to track cybersecurity skills or training among the program’s inspectors.
Nathan Anderson, a director in the Homeland Security and Justice division of the GAO, said that while many of the larger facility operators go beyond the requirements of the CFATS program for their cybersecurity process, smaller operators might not have the resources to do so and rely on the guidelines for direction.
“If they’re relying on guides that are 10 years old, in such a quickly evolving landscape, then they may not be getting the information from the federal government that they need to adequately protect their facilities,” he said.
The risk of a successful cyberattack has increased, the GAO said, due to efforts by some critical-infrastructure operators to link systems that control physical and digital operations. It cited a successful cyberattack on Ukrainian electricity utilities in 2015 as evidence that such initiatives can increase efficiencies but also leave operators vulnerable to attack. In that event, three electricity distributors were taken offline after hackers penetrated business computer systems and used them to access the networks that ran operational control systems. The virus used in that attack later spread to a number of global companies in other countries.
Military and law-enforcement agencies are increasingly concerned that critical infrastructure sectors in the U.S. are prime targets for hackers. In December, the U.S. Coast Guard issued an alert regarding a ransomware attack on a natural gas facility that resulted in operations being shut down for 30 hours, while in January, an alert from the Cybersecurity and Infrastructure Security Agency warned of possible cyberattacks from Iran. That alert came after Maj. Gen. Qassem Soleimani, leader of the foreign wing of Iran’s Islamic Revolutionary Guard Corps, was killed in an airstrike by U.S. forces on Jan. 2.
The GAO issued six recommendations for overhauling the CFATS program, including regular revisions of the standards to reflect internal government protocols that require regular reviews of such guidelines. It also recommended that information on cybersecurity preparedness at these facilities be made readily available to inspectors. While this information is collected, the report found, it cannot be easily searched or extracted.
In its response to the report, DHS agreed with all six recommendations. It noted that training does take place but said it would better track this information and that it would work with an outside contractor to improve the accessibility of the data it already collects. Responsibility for these tasks was assigned to CISA. A representative for the agency said that it considers the GAO’s recommendations to be reasonable and that it has begun to address them.
Mr. Anderson said that the agency will give CISA six months to decide how best to implement the recommendations, and will then follow up to ensure that it does so.
“We hold ourselves accountable to Congress for closing recommendations only when the agency has actually implemented the spirit of what we’ve asked them to do,” he said. “This is not a paperwork exercise.”
Write to James Rundle at [email protected]